This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
BrandonMohammed
Beginner
Beginner
‎2017-05-09 04:22 PM

Issue authenticating to rsa ace server radius from checkpoint firewall

Hi Im connecting our checkpoint firewall to our rsa ace server running radius and getting an error everytime I login to checkpoint via ssh with the account created in rsa authentication manager. I see this error in the activity monitor

 

User “testuser” attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain “SecurID_Native”

 

reason 

Authentication method failed

I am not using any tokens yet only the local password and fixed passcode for the user in ace.

I also followed the implementation guide for my version of checkpoint. Any clues or help would be appreciated. Cheers

0 Likes
Reply
12 Replies
EricaChalfin
Employee (Retired) Employee (Retired)
Employee (Retired)
‎2017-05-09 04:42 PM

Brandon Mohammed‌,

 

The authentication method failed message with RADIUS is typically a mismatch in the shared secret between the RADIUS client and the Authentication Manager server.  Resetting it should resolve the issue.

 

Please take a look at 000028896 - Troubleshooting RSA Authentication Manager 8.1 native SecurID and RADIUS authentication issues for more information.

 

Regards,

Erica 

0 Likes
Reply
BrandonMohammed
Beginner
Beginner
In response to EricaChalfin
‎2017-05-09 04:54 PM

I tried resetting the secret getting same result.

0 Likes
Reply
EdwardDavis
Employee
Employee
In response to BrandonMohammed
‎2017-05-10 08:11 AM

First,  verify the user can login somewhere else with the fixed passcode, like the self-service console page.

 

Auth method failed usually means the digits or passcode received are the correct number of characters, but the system could not figure out the tokencode or pin from them, but shared secret is usually correct. If the shared secret was incorrect you would get passcode format error instead of auth method failed, and the passcode would actually decrypt into a huge string the system could not understand, [and would be 20 characters or more]...

 

To prove/deny the shared secret and isolate the issue, get on command line as root and run tcpdump and make a packet capture of the login attempt. Then load the pcap file into wireshark sniffer, and edit wireshark radius protocol section and put the shared secret there. Now when you look at the packet in wireshark the passcode/password field will be decrypted and you will see if that is your fixed passcode, something else, or garbage characters.

 

-------------------------------------------------------

example: if using radius port 1812 (or change to 1645)

a) access command line as rsaadmin

 

b) become root with 

sudo su -

and rsaadmin password again

 

c) tcpdump -i eth0 udp port 1812 -nn -s 0 -w /tmp/radcap.pcap

 

d) do your login attempt

 

e) stop tcpdump with ctrl-c

 

f) use winscp or filezilla or any sftp program, and log in and copy the pcap file out of /tmp

and load it up in wireshark

 

g) edit wireshark preferences and edit the protocols, radius section, and put in the shared secret it should be using

if correct, under the username will be the passcode or fixed passcode that got transmitted,

if incorrect it will be a long string of garbage

--------------------------------------------------------------------------------------------------------------------------------------

example: the correct shared secret in wireshark and in the setup, [my fixed passcode for user zaz is 4444]

pastedImage_1.png

if this was the wrong code but correct digits long

(the length matches the expected length of any of the fixed passcode or authenticators the user owns)

it would say auth method failed, and anyhow you would see clearly if somehow the code is

getting changed in the transmission somewhere.

 

example: incorrect shared secret, same user and fixed passcode

pastedImage_2.png

Bunch of garbage instead of 4444, and this would fire a passcode format error as it is definitely longer than any possible passcode.

0 Likes
Reply
BrandonMohammed
Beginner
Beginner
‎2017-05-11 12:02 PM

sorry didn't have time to try to tcpdump yet. I actual created the user account on the management server with authentication method of radius and that allowed me to connect directly to the gateway with the account on rsa using a fixed passcode only once. After I login that first time it does not allow that account to login with the fixed passcode  again until I completely reset that fixed passcode again.  And when I uncheck the fixed passcode option on the user account it gives me an error in activity monitor that one of the authenticators are missing. We really just want to use the accounts actual set password only for now until we buy tokens.

0 Likes
Reply
EricaChalfin
Employee (Retired) Employee (Retired)
Employee (Retired)
In response to BrandonMohammed
‎2017-05-11 12:32 PM

Brandon Mohammed‌,

 

A newly created fixed passcode is like an RSA SecurID token in New PIN Mode and needs to go through the new PIN process.  Let's say an RSA admin named Alice defines a fixed passcode for a user named Bob as 87654321.  Alice provides Bob the fixed passcode and he tries to authenticate with it to the firewall.  He enters his user ID and for the passcode enters 87654321, which gets passed to the Authentication Manager server.

 

The Authentication Manager server does not know if Bob is using a token or a fixed passcode.  It sees a flag in it's database that this authenticator is new and will pass a prompt back to Bob, asking him to create a PIN.  What Bob should do here is create a new fixed passcode and, for example, enter 12345678.  The interface should then request that he wait for the tokencode on his hardware or software token to change and enter the passcode again.  Since he is working with a fixed passcode, all Bob needs to do is enter 12345678 again and he should get a successful authentication.  For subsequent authentications, Bob enters 12345678 as his passcode.

 

Regards,

Erica

0 Likes
Reply
BrandonMohammed
Beginner
Beginner
In response to EdwardDavis
‎2017-05-11 01:01 PM

Untitled1111.pngok ran a tcpdump and put the secret into wireshark and I do see the fixed passcode shown.

So after it works with the first try a second login attempt fails. See all screenshots

 

 

 

Untitled5.pngUntitled6.png

0 Likes
Reply
BrandonMohammed
Beginner
Beginner
‎2017-05-11 01:35 PM

so Erica it seems like that is what is happening but how can I set the passcode if im not prompted on the remote device? Can I use the ssc or the oc to set this passcode after first initial use.

0 Likes
Reply
BrandonMohammed
Beginner
Beginner
In response to BrandonMohammed
‎2017-05-11 01:56 PM

ok I tried the security console with my test user and got prompted to create a new passcode. Thanks to your response Erica. Appreciate all of your help here all of you.

Reply
EdwardDavis
Employee
Employee
In response to BrandonMohammed
‎2017-05-11 02:10 PM

that is because the fixed passcode is asking to be changed on it's first use, using the

new pin prompting process...

 

all new fixed passcodes allow the user to change it on first use, so only the user knows

what it is, even the admin won't know it (unless you are the admin too)

 

 

 

-give a user a new fixed passcode (again) uncheck and recheck it...and set it

 

-next, go log into the self service console as that user and use the fixed passcode

 

-the self service will ask you to change the fixed passcode, so please change it to a new fixed passcode

 

-Now, after going though that 'first use of a new fixed passcode change procedure',

the fixed passcode is permanent (more or less) and doesn't need a change any more (unless policy requires it)

 

and now try using the new permanent fixed passcode on your radius agent. it should consistently work

0 Likes
Reply
© 2022 RSA Security LLC or its affiliates. All rights reserved.